Simple text version follows

UNITED NATIONS
Office of Internal Oversight Services
UNHCR Audit Service
Assignment AR2006/166/04 9 March 2007
Audit Report R07/R005
AUDIT OF UNHCR INFORMATION AND COMMUNICATIONS TECHNOLOGY
MANAGEMENT
Auditors:
Leonard Gauci
Ottavia Cova
-----------------------------------------------------------------------------------------
UNITED NATIONS NATIONS UNIES
Office of Internal Oversight Services
UNHCR Audit Service
AUDIT OF UNHCR INFORMATION AND COMMUNICATIONS TECHNOLOGY
MANAGEMENT (AR2006/166/04)
EXECUTIVE SUMMARY
In June and July 2006, OIOS conducted an audit of UNHCR's Information and Communications
Technology Management function at its Headquarters in Geneva. UNHCR's core ICT functions
fall under the responsibility of the Division of Information Systems and Telecommunications
(DIST). The core application system is MSRP (Management Systems Renewal Project), which is
an Enterprise Resource Planning system.
Overall Assessment
� The audit did not reveal major weaknesses. Nonetheless, a number of measures should be
taken to strengthen the governance and administrative structure of the overall ICT operations.
In OIOS' opinion, the implementation of the recommendations set out in the report would bring
the management of ICT more in line with best practices and would demonstrate management's
commitment to ensuring proper control in this area. OIOS was pleased to note that the Director
of DIST has accepted the recommendations made and is in the process of implementing them.
Audit Findings and Recommendations
� An ICT Governance Board was set up in May 2006, dealing with ICT initiatives. In OIOS'
view, its roles and responsibilities should be extended to include the oversight and coordination
of all ICT strategic and policy matters in UNHCR. There should be a mechanism for
monitoring and reporting to the Board the actual costs and results of each project against the
approved budgets and plans.
� There are still ICT matters in UNHCR that do not fall under the mandate of DIST. OIOS
recommended that DIST be assigned full responsibility for all ICT products and services. This
would avoid duplication and inefficiency and make it easier to implement consistent ICT
policies and methodologies.
� UNHCR should clarify its position with regard to the application of ICT-related instructions
issued by the UN Secretariat, and take the initiative to establish a framework for exchanging
information and know-how. For instance, DIST could consider adopting a methodology for the
development of new systems already in use in the UN and apply this on a consistent basis.
� UNHCR should develop and implement an Information Management strategy. This will define
mission-critical information and identify any businesses processes that need to be modified in
order to take full advantage of the facilities afforded to UNHCR by its automated systems.
-----------------------------------------------------------------------------------------
� DIST should carry out a post-implementation review of MSRP to evaluate the investment
made and ensure that users take full advantage of the facilities offered by the system. Lessons
learned can be applied to on-going and future projects.
� The budgeting process for DIST should be reviewed and linked to funding. DIST is already
using the UN International Computing Centre's hosting services and should look at other areas
where outsourcing may be advantageous, as well as opportunities for synergy within the UN
system. There are no service agreements between DIST and the various user units in UNHCR.
Linking funding to service agreements should bring about more accountability and transparency
in the use of funds for ICT services and products.
� DIST does not have the autonomy to use training funds for its staff with ICT functions,
including those in field locations, and there are no established criteria for the allocation of such
funds. DIST should be assigned a budget for training staff with ICT functions to meet the
obligations contracted in service agreements, and should be allowed to apply the funds in line
with a set of criteria approved by the ICT Governance Board. With regard to user training in IT
skills, the Board has approved a business case for training that leads to European Computer
Driving Licence certification and this should be implemented without delay.
� The working group entrusted with developing a security policy for UNHCR should conduct a
risk analysis and all policies and procedures and documentation should be compiled in a
controlled security manual. This group should review the existing audit trails and security
reports for improvement and implement a policy for their review. OIOS recommended the
appointment of a Chief Information Security Officer to be the first point of contact for all
matters related to computer security. In OIOS' opinion, this is an opportune time to evaluate the
effectiveness of the system's security features and those of the network infrastructure by
conducting penetration tests.
� UNHCR does not have a comprehensive business continuity plan. OIOS recommended that
the High Commissioner sets up a task force to deal with all matters relating to business
continuity planning, including the categorization of mission-critical systems and data, and to
draw up a project plan for its implementation.
� DIST was not aware of all the systems and databases that have been developed by end-users
and run on stand-alone PCs. This may result in duplication of systems and waste of effort while
reports presented to management for decision-making may contain inaccurate data. An
electronic register that would record details of all the ICT applications should be set up. DIST
should periodically provide users with guidelines that will highlight the risks related to end user
computing and provide guidance on safeguards and best practices to mitigate these risks.
March 2007
-----------------------------------------------------------------------------------------
TABLE OF CONTENTS
CHAPTER Paragraphs
I. INTRODUCTION 1�3
II. AUDIT OBJECTIVES 4
III. AUDIT SCOPE AND METHODOLOGY 5�6
IV. AUDIT FINDINGS AND RECOMMENDATIONS
A. Governance 7 - 20
B. Planning and Organization 21 - 29
C. Financial Management and Human Resources 30 � 37
D. Implementation and maintenance of systems 38 - 43
E. IT Security and Safety 44 - 64
F. Management and Procurement of IT Assets 65 - 69
V. ACKNOWLEDGEMENT 70
-----------------------------------------------------------------------------------------
I. INTRODUCTION
1. During June and July 2006, OIOS conducted an audit of UNHCR's Information and
Communications Technology Management at its Headquarters in Geneva. The audit was
conducted in accordance with the International Standards for the Professional Practice of Internal
Auditing.
2. UNHCR's core ICT functions fall under the responsibility of the Division of Information
Systems and Telecommunications (DIST). The Director of DIST who is the Chief Information
Officer (CIO) reports to the Deputy High Commissioner. In 2002 UNHCR started to implement
MSRP (Management Systems Renewal Project) which is an Enterprise Resource Planning system.
The implementation of the Human Resources/Global Payroll modules in 2007 will complete the
core aspects of this project.
3. A draft of this report was shared with the Director of DIST in November 2006. The
comments, which were received in January and March 2007, are reflected in this final report. The
Director of DIST has accepted most of the audit recommendations made and is in the process of
implementing them.
II. AUDIT OBJECTIVES
4. The main objectives of the audit were to:
� Assess UNHCR's ICT governance and organizational structure
� Determine requirements for the successful implementation of UNHCR's ICT strategy
� Assess UNHCR's practices and plans for ICT against the global ICT strategy of the UN Secretariat
� Identify areas of ICT that require the attention of UNHCR's management to bring them in line
with best practice
III. AUDIT SCOPE AND METHODOLOGY
5. The audit addressed the general management of ICT in UNHCR and focused on the
relevant areas of Information Technology controls that fall under the responsibility of DIST. It did
not examine the IT controls over individual application systems or the functionality aspects of
such systems.
6. The audit was conducted in accordance with ISACAs' (Information Systems Audit and
Control Association) Information Systems Auditing Standards, guidelines and procedures. OIOS
obtained an understanding of the computer environment at UNHCR by using a structured
questionnaire. Tailored audit programmes covering the audit objectives were developed on the
basis of the completed questionnaire. During the audit, OIOS analysed applicable data and
reviewed the available documents and other relevant records. Interviews were held with selected
managers and staff.
-----------------------------------------------------------------------------------------
2
IV. AUDIT FINDINGS AND RECOMMENDATIONS
A. Governance
(a) ICT governance
7. OIOS welcomes the establishment of the Information and Communications Technology
(ICT) Governance Board1 and sees this as an important step in strengthening UNHCR's
governance structure over ICT. In particular OIOS notes that while ultimate responsibility
remains with the High Commissioner, Board meetings are chaired by the Deputy High
Commissioner who will be accountable for all decisions, and will decide where consensus cannot
be reached2. This is a critical aspect of governance which in OIOS' experience with other
organizations that when it was absent or not properly enforced has led to the failing of similar
bodies.
8. OIOS notes that the terms of reference of the Board are focussed on the coordination of
ICT investments and projects. During its first three meetings, the Board mainly dealt with the
review and assessment of proposed ICT projects. While this is an important element of ICT
governance, the ICT Governance Board also has an important role to play in the formulation and
implementation of ICT policies. DIST would be expected to take the lead in the initiation of
projects such as developing and implementing an information management strategy, security
policies and business continuity plans, but these projects require an input from all user
departments. If this is lacking, it is not likely that such policies will be effective. The ICT
Governance Board is therefore the right forum for coordinating these matters.
9. Business owners groups provide an important forum where users can express their
requirements with regard to their systems. They also help to coordinate ICT matters in particular
with respect to security and system modifications. For MSRP, there are two such groups, one for
the Finance and Supply Chain modules and another for HR/Global Payroll. Discussions with
management indicate that the former is largely focussed on Headquarters and field operations are
not sufficiently involved. With the implementation of MSRP, it is important that the business
owners formally take over the ownership of an application once this has been delivered and they
are satisfied it meets their requirements. There should be a mechanism that clearly defines the
ownership of all the systems and data, and identifies the parties and their respective
responsibilities to such systems and data. These details should be recorded on an electronic
register as discussed under Section F of this report.
10. The Department of International Protection Services and the Division of Operational Support
operate non-MSRP systems. Both the Directors of DIPS and DOS are represented on the ICT
Governance Board. This is a welcome move towards improving governance over ICT within the
whole of UNHCR. There is still a risk however that an ICT project is initiated by one of these entities
without DIST being given the opportunity to review the technical specifications for compatibility with
existing systems and application of appropriate methodologies for project management and delivery.
DIST indicated that this had led to incompatibility of systems in the past. Furthermore, neither DIPS
nor DOS has a business owners group, and there is room for more synergy; for example with DIPS and
DOS adopting the change control procedures operated by DIST.
1
ADM-01-01 and IOM/FOM 57/2006 of 28 June 2006
2
ibid. para. 8
-----------------------------------------------------------------------------------------
3
Recommendation:
The UNHCR's ICT Governance Board should:
(a) Extend its role and terms of reference from the approval of
business cases for ICT initiatives to include the oversight and
coordination of all ICT strategic and policy matters throughout
UNHCR; and
(b) Ensure that the ownership of systems and data is clearly
defined and reflected in the electronic register (Rec. 01).
11. DIST agreed with the recommendation. The electronic register will be included in DIST's
Strategic Plan for the coming biennium. DIST stated that the scope and timing of project to
implement would this be defined by June 2007. OIOS will close the recommendation once the role
and terms of reference of the ICT Governance Board are extended.
12. OIOS noted that the discussions at the first three ICT Governance Board meetings strongly
indicated the need for pre-screening to review business cases to make sure that the scope of
projects is properly defined, the benefits are clearly set out and all the cost elements have been
captured. OIOS recommended setting up a task force for reviewing the business case for ICT
initiatives on a project-by-project basis to ensure the accuracy of the functional aspects prior to the
business case being presented to the ICT Governance Board. OIOS was pleased to note that DIST
Client Managers work with units preparing business cases for projects to ensure robust
submissions reach ICT Governance Board.
13. The ICT Board's terms of reference state that it is the responsibility of the business units to
prepare the business case outlining how the project supports the organization's strategic
objectives, the costs/benefits, the resource requirements and the funding sources.3 It is not yet
clear what will happen after the business case for the project has been approved, and whether there
will be regular up-dates on the actual costs vis-�-vis the approved budgeted amount. It is
important that the Governance Board is kept informed if the final product does not meet the
original objectives or if cost overruns are incurred.
Recommendation:
The UNHCR's ICT Governance Board should request that the
Chief Information Officer establishes a mechanism for monitoring
and reporting to the Board the actual costs and results of each
project against the approved budgets and plans (Rec. 02).
14. DIST agreed with the recommendation and stated that there is a proposal to create a
Project Management Officer in DIST to monitor expenditure on projects, technical issues and
report on return-on-investment. This will be included in DIST's Strategic Plan for the coming
biennium. OIOS will close the recommendation on confirmation that a mechanism has been
established to monitor and report to the Board on the actual costs and results of the approved
projects.
3
ibid. para. 6
-----------------------------------------------------------------------------------------
4
15. The current regulatory definition of the term "UN Secretariat"4 includes UNHCR.
However UNHCR has operated independently of the ICT governance structures set at the UN
Secretariat level, such as the Information and Communications Technology Board. A number of
official documents5 have been issued by the UN Secretariat with the aim of ensuring coherent and
coordinated global management ICT initiatives across departments and duty stations. The
UNHCR Electronic Mail Policy issued in June 2006 clarifies how the Secretary-General's Bulletin
on the "Use of Information and Communication Technology Resources and Data"6, applies to e-
mail and related services and facilities. Other than this, UNHCR has not followed the instructions
set out in these documents and neither has there been an approach on the Secretariat's part
requesting UNHCR do so. The lack of coordination on ICT matters can lead to divergent policies,
while failure to take advantage of the investment already made to develop strategies and policies
could result in a waste of resources.
16. In OIOS' view, UNHCR should clarify its position with regard to compliance with ICT
regulations and rules issued by the UN Secretariat. If UNHCR remains outside the UN
Secretariat's ICT governance structure, OIOS still sees plenty of opportunity for benefits to be
gained through close cooperation between it and the UN Secretariat. For example, the UN's
Information Technology Services Division (ITSD) has specialized units for the undertaking of ICT
risk analysis that would form the basis for security and business continuity plans. Earlier this year,
this Division obtained ISO 27000 certification covering the network systems at UN Headquarters
and is now providing training and guidance to ICT offices in duty stations to help them achieve
certification. On its part, UNHCR can provide advice based on its experience in implementing a
global ERP system. The two parties should also collaborate towards the establishment of a
common chart of accounts in compliance with International Public Sector Accounting Standards.
Recommendation:
The UNHCR's Deputy High Commissioner, as Chairperson of the
ICT Governance Board should liaise with the Chairman of the
Secretariat's Information and Communications Technology Board
and clarify UNHCR's position with regard to the application of
ICT-related instructions issued by the Secretariat and seek to
establish a framework through which both parties will benefit
through the exchange information and know-how (Rec. 03).
17. DIST agreed with the recommendation. UNHCR is clarifying its position vis-�-vis ICT-
related instructions issued by the Secretariat. As a programme of the Secretary-General, UNHCR
(the DHC) cooperation with the Secretariat takes place through the High Level Committee on
Management (HLCM) ICT Network. OIOS will close this recommendation on confirmation that
UNHCR's position with regard to the application of ICT-related instructions issued by the
Secretariat is clarified and a framework, at the Director level, is established for the exchange of
information.
4
ST/SGB/2002/11
5
These include: GA Document A/55/780 "Information Technology in the Secretariat: a plan of action", GA
Document A/57/620 "Information and Communication Technology Strategy", ST/SGB/2003/17 "Information and
Communications Technology Board", ST/SGB/2004/15 "Use of Information and communication technology
resources and data" and ST/AI/2005/10 "Information and communication technology initiatives".
6
ST/SGB/2004/15 of 29 November 2004
-----------------------------------------------------------------------------------------
5
(b) The role of the Division of Information Systems and Telecommunications
18. Over the past four years, UNHCR's ICT resources have been focused on the
implementation of MSRP. With the rolling out of the HR/Global Payroll modules, the role of
DIST will shift from that of developing, project managing and implementing core systems to that
of a service provider. The latter role will be aimed at maintaining and running systems that will
allow users easy access to data that is complete, up-to-date and reliable. DIST also has the
responsibility for ensuring that the investment made in the new systems is exploited to the full.
The current structure and the ICT roles and responsibilities within DIST will need to be redefined.
Some posts will no longer be required and there will be a need to re-allocate and re-train some
staff.
19. Unless DIST has full responsibility for all ICT products and services within UNHCR, it
will be difficult to coordinate ICT matters, including the funding of ICT resources. This may lead
to duplication, inefficient provision of services to users, failure to anticipate the needs of UNHCR,
and possibly a lack of accountability and transparency. On the other hand, full responsibility for
all ICT products and services within UNHCR will make it easier for DIST to adopt a client-
oriented approach. It will also give UNHCR the opportunity to rationalize the budgeting and
funding of ICT resources.
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications should be assigned full responsibility for all
ICT products and services within UNHCR (Rec. 04).
20. DIST agreed with the recommendation. This is being implemented through the office of the
DHC, the CIO, the ICT GB and is reflected in current ORB procedures. Appropriate doctrine
continues to be disseminated to the Organisation in the form of IOM/FOMs (policies) and
memoranda on important issues pertaining to this. OIOS will close this recommendation on
confirmation that full responsibility has been assigned to DIST.
B. Planning and Organization
(a) Information Management strategy
21. UNHCR does not have an Information Management (IM) strategy. The Joint Inspection
Unit, in their 2002 report7 listed their observations concerning Information Management within
the United Nations System Organizations, noting that:
Managing information resources effectively is not only a major organizational
challenge but also provides an opportunity for enhancing efficiency.
The first step towards effective management of information resources is to develop
an organization-wide information management strategy.
The information management strategy is distinct from an information technology
strategy in the sense that information technology are tools for an effective
information management process; the information-management strategy should focus
on identifying mission-critical information as well as system(s) required for effective
7
JIU/REP/2002/9 Managing Information In The United Nations System Organizations: Management Information
Systems
-----------------------------------------------------------------------------------------
6
information management.
Many organizations developed various IM systems without due regard to their
integration into an organization-wide system designed to facilitate improved
management.
In view of the fact that implementation of projects for IM systems, in particular ERP
systems, is a resource-intensive undertaking, effective project management is critical
to successful development and introduction of such systems.
Many UN system organizations have failed to meet the necessary and sufficient prior
conditions required for cost-effective implementation of an ERP system, including
streamlining existing work processes, putting a management structure in place and
establishing an operational plan, as well as identification of requirements and in-
depth review of functionality that ERP applications provide.
22. Although ideally an IM strategy should have been formulated before embarking on the
development of different information systems to capitalize on the efficiencies afforded by the new
systems and infrastructure, an IM strategy would define the role of ICT in information
management and clarify, for example, the linkages between MSRP and other systems. In addition,
the IM strategy would be a key reference for governance and oversight.
23. On the other hand, the absence of an IM Strategy could defeat the objective of consolidated
and integrated data management systems. There is a risk that management and users will push for
modifications to the system to accommodate existing processes. This would result in inefficiencies
and would invalidate the investment made in MSRP.
24. The responsibilities called for by this task are wider in scope than those that fall within the
duties of the CIO, and should be directed by the ICT Governance Board. The Board can appoint a
working group to prepare a detailed work plan with timelines, benchmarks and resources for
developing and implementing an IM strategy. The strategy would include a definition of mission-
critical information, and the identification of any business processes that need to be changed in
order to take full advantage of the facilities afforded by UNHCR. While OIOS is pleased to note
that the ICT Governance Board has already tasked the Director of DOS to constitute an Extranet
Task Force to help guide and integrate the development of information management initiatives,
the ICT Governance Board should ensure that UNHCR's ICT strategy is updated to reflect the
conclusions deriving from the IM Strategy.
Recommendation:
The UNHCR's ICT Governance Board should establish a
working group to draw up a detailed work plan with timelines,
benchmarks and resources required to develop and implement an
overall Information Management strategy. The ICT strategy
should be updated to support the objectives defined in the IM
Strategy (Rec. 05).
25. DIST agreed with the recommendation. The DHC has assigned the Director of External
Relations to prepare TORs and chair a task force that will develop and implement an
organisationwide Information Management strategy. DIST will be an important member of this
task force. OIOS will close this recommendation once the Information Management strategy has
been established.
-----------------------------------------------------------------------------------------
7
(b) Post-implementation review of MSRP
26. UNHCR has heavily invested in the implementation of MSRP. While labour cost-savings
will materialize over a period of time, the efficiencies gained through the streamlining of
processes should be immediately visible in a number of areas: for example, the ability to track
funds through UNHCR and accurately report on expenditure and facilitate decision-making, and to
increase the speed and accuracy with which goods can be purchased and tracked from supplier to
beneficiary.
27. Once the HR/Global Payroll modules are implemented during 2007, DIST should carry out
a post-implementation review (PIR) to evaluate the investment made in MSRP, assess the benefits
� both to UNHCR staff and the recipients of UNHCR's services � and compare the original
claimed benefits and costs to actual ones. Also, if the information is available, such a review can
determine with some accuracy the real cost of the MSRP project, including the true cost of user
time in terms of business disruption, training, learning curves and the rise in IT support
immediately following implementation. The review would also help to identify lessons learned,
which in turn can be applied to on-going projects such as the Treasury Management System.
28. Apart from the accountability aspect, it is important that any problems are immediately
addressed, otherwise users may not take full advantage of the features offered by the system. A
typical risk area is that of report generation, where users may end up creating their own
spreadsheets to calculate data, with the inefficiencies and risks to the reliability of the data that
this brings with it, when the system provides the facilities to extract the reports in question. The
best way to address these risks is to conduct a User Satisfaction Survey specific to MSRP to assess
the system's "functional fit". This would help to assess users' preparedness and their level of
acceptance of the system, ascertain the extent to which users are utilizing the functionalities
provided by the various modules of the system and consequently the extent to which UNHCR is
gaining from the investment made.
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications with the Business Owners should carry out a
post-implementation review of the MSRP project to evaluate the
investment made and identify any aspects that need to be addressed
to ensure that users take full advantage of the facilities afforded by
the system. Preferably the Deputy High Commissioner, as the
chairperson of the ICT Governance Board, should initiate and
sponsor the review. The review should also determine what went
well and what did not, and any lessons learned should be applied to
on-going and future ICT initiatives (Rec. 06).
29. DIST agreed with the recommendation. The review will be included in DIST's Strategic
Plan for the coming biennium. The overall plan would be that the Business Owners execute the
evaluation with input from DIST with a view to completing the review in 2008. OIOS will close
this recommendation on the completion of the evaluation.
-----------------------------------------------------------------------------------------
8
C. Financial Management and Human Resources
(a) Funding of ICT resources and Service Agreements
30. With the MSRP project nearing completion, the budgeting process for DIST should be
reviewed. In the opinion of the CIO, there should be a three-tier costing structure, namely,
operational costs to incorporate the costs necessary to keep things going as they are; fixed costs,
such as contracted costs for hosting and other services; and the costs of investing in ICT
initiatives. OIOS agrees with this structure in principle. Investment in new systems is now
covered by the procedures set by the ICT Governance Board. DIST should continue to seek ways
of optimizing the fixed ICT costs through the outsourcing of certain services, in particular within
the UN Common System. OIOS notes that the UN International Computing Centre (ICC) is used
for hosting services and UNHCR has recently entered into a contract for VSAT. Additionally
other areas, such as the outsourcing of the provision of help desk services may be advantageous.
31. It is also important that the budgeting and funding aspects are directly based on the ICT
strategy and on service agreements between DIST and the user units. At present there does not
seem to be a proper link between the budgeting and funding processes. Therefore with operational
costs, OIOS sees scope for conducting a study to determine the criteria and the funding each unit
should contribute towards the maintenance of existing systems. Criteria may include the number
of workstations and users.
32. The CIO told OIOS that DIST will be nominating a number of product managers to be
responsible for seeing that the particular product or service will continue to support user
requirements but as yet there are no service delivery or service level agreements between DIST
and UNHCR's various user units/sections. Unless the standard of all services expected of DIST
are clearly defined and formalized in a service catalogue between DIST and the individual user
units (with any additional services being defined in a bilateral agreement), there is a risk that the
roles and responsibilities of both the providers and users of ICT services will not be properly
understood. This may lead to a lack of accountability and situations where users expect and
demand certain services that DIST is unable to deliver or arrange to be outsourced in time. On the
other hand, a move towards activity-based budgeting and the linking of funding to service
agreements should bring about more accountability and transparency in the use of funds for ICT
services and products.
Recommendations:
The UNHCR Division of Information Systems and
Telecommunications should conduct a study to determine the
criteria and the amount of contribution each unit should make
towards its operational costs (Rec. 07).
-----------------------------------------------------------------------------------------
9
The UNHCR Division of Information Systems and
Telecommunications should identify all those ICT services that it is
mandated to provide to each user unit and have these services and
respective responsibilities defined in a service catalogue, a copy of
which should be made available on the intranet. Any services
additional to those in the catalogue should address the resource
implications and be defined in a bilateral service agreement between
DIST and the user unit concerned (Rec. 08).
33. DIST agreed with the recommendations stating that these principles will be included in
DIST's Strategic Plan for the coming biennium. OIOS will close these recommendations on
confirmation that appropriate principles have been established for the provision of ICT services to
user units and subsequent funding of the services.
(b) Training
34. DIST does not have the autonomy to use training funds to ensure that staff in ICT
functions have the necessary skills. ICT training funds should be used for specific and well-
targeted actions, but at this stage there is no established criteria for the allocation of training funds.
Examples of such criteria may include: evidence of demand, direct application of acquired
knowledge/skills, duration, cost and willingness to cost share. Management could set up a points
system based on these criteria and utilize the training funds accordingly. This use of criteria
would also show more transparency in the allocation of funds.
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications should be assigned a budget for training DIST
staff in ICT functions to enable it to meet the ICT strategy
objectives and the obligations contracted in service agreements.
DIST should have full autonomy in the use of these training funds,
based on a set of criteria approved by the ICT Governance Board
(Rec. 09).
35. DIST agreed with the recommendation. DIST elaborated that a training budget is being
included in DIST's Strategic Plan for the coming biennium. DIST will work closely with Budget
and Staff Development Section to devise criteria. OIOS will close this recommendation on
confirmation that a budget for training staff in ICT functions has been made available to DIST.
36. In addition to technical staff, system users should also be provided with a basic level of
training in the use of IT systems. This would help them better utilize the facilities afforded by the
systems and appreciate the risks and measures that should be taken with regard to computer
security. It would make users more self-sufficient to a certain degree and reduce the demand on
DIST's resources. These objectives can be achieved through a UNHCR-wide training programme
under which users of IT systems will participate and obtain the European Computer Driving
Licence (ECDL) certification.
37. OIOS is pleased to note that in October 2006 the ICT Governance Board approved a
business case for improving the basic IT skills of UNHCR staff through training that leads to
ECDL certification. OIOS recommended that this issue be followed up and a consistent plan for
-----------------------------------------------------------------------------------------
10
funding and implementation be established. DIST indicated that it would be on the agenda of the
Governance Board during spring 2007.
D. Implementation and maintenance of systems
(a) Methodologies for ICT projects
38. DIST does not consistently follow a standard methodology for the development of new
systems or projects. These methodologies are important to ensure that major ICT initiatives are
thoroughly planned, adequately staffed, and managed by suitably experienced project managers.
Without a proper methodology there is a risk that the project will not be substantively aligned with
UNHCR's goals and objectives. There is also a risk that a staff member in a field office who has
implemented a computer-based application will depart without leaving sufficient documentation
to enable continued maintenance of the system.
39. DIST stated that it is in the process of developing procedures to ensure that both UNHCR
and user needs are properly defined and incorporated into the systems' designs. However there
are no procedures to ensure that appropriate security and control features are incorporated in
system design and that applications potentially vulnerable to fraudulent programme coding or data
manipulation incorporate special security features and edit checks. The quality of system design,
programming and documentation is not subject to quality assurance testing.
40. The UN Secretariat has adopted the Prince II methodology for all ICT project high-level
evaluation. This methodology addresses the UN Secretary-General's four return indicators for
ICT projects, namely: (a) service improvement through quicker access to information and/or
higher quality services; (b) process streamlining by eliminating duplication and having the
potential for redeployment of resources; (c) leveraging past investments by extending the life of
current systems; and (d) a strong enabler in the decision making process. Once an ICT project has
received the approval of the Project Review Committee, ITSD and DPKO's Communications and
Information Technology Service have been using Rational Rose as a software development tool to
ensure uniform architectural compliance.
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications should adopt a methodology for the
implementation of new systems and apply this on a consistent
basis. This methodology should include procedures aimed at
ensuring that appropriate security and control features are
incorporated within the system design as well as quality assurance
testing (Rec. 10).
41. DIST agreed with the recommendation and considered it implemented, as processes are
aligned and consistent with the ICT GB process/methodology established by UNHCR. OIOS
appreciates the efforts made to create a common methodology and considers them a good starting
point for methodology implementation. However, OIOS considers that the current methodology
documentation is still not fully complete and further work is required as outlined in the
recommendation above.
-----------------------------------------------------------------------------------------
11
(b) Change control
42. DIST maintains four separate system environments; one for development, two for testing,
and the live (production) environment. After modifications have been tested and approved, the
programme is transferred to the second test environment (referred to as support/test) to await
transfer to production. A programme that has been tested and approved may remain in the
support/test environment for up to a month before being transferred to the live environment while
matters such as user training are finalized.
43. OIOS pointed out that with several moves between the environments there is a risk of
unauthorized modifications being made to a programme before its transfer to production. DIST,
however, is convinced that their procedures with technical and functional sign-offs to different
environments mitigates such risk
E. IT Security and Safety
(a) Information systems risk analysis and security policy
44. The report of the UN Board of Auditors (BOA) to the General Assembly for the period
ended 31 December 20058, includes a section titled "Information and communication technology
fraud prevention and management". OIOS has taken note of the contents of this section and
UNHCR's responses and therefore will not repeat the BOA's recommendations here. While the
review undertaken by OIOS was at a high level and did not include detailed testing, we would like
to draw management's attention to other matters concerning IT security. OIOS believes that the
implementation of the respective recommendations will bring UNHCR more in line with best
practices and reduce the risk of fraud through unauthorized access to its systems and data.
45. In response to the BOA's recommendations, UNHCR stated that DIST has formed a
working group to develop an information security policy. In OIOS' opinion, the development of a
security policy should be preceded by an information systems risk analysis to ensure all risk areas
are addressed. This is particularly important where applications are linked through a network,
since a fraudster could gain access to an important system via a minor one. The analysis would
also prevent an overstatement of controls that would reduce efficiency unnecessarily. This risk
analysis would be useful when developing business continuity plans. The UN Secretariat's ITSD
has conducted ICT Security Risk Assessments at all Offices away from headquarters. DIST may
wish to take advantage of the experience gained through these reviews and request ITSD to
conduct a similar one at UNHCR.
46. The security policy will need to be supported by detailed procedures and instructions
covering all aspects of computer security within UNHCR. These should be grouped in a security
manual. Given UNHCR's operational and IT environments, it will not be practical to maintain
close supervision over all users and it is important that staff are made aware of good practices with
regard to computer security so that they will exercise self-discipline. Copies of the manual and its
distribution should be controlled so as not to compromise security. A copy of the security policy
and selected procedures should be made accessible to all staff over the intranet. Periodically,
DIST should issue reminders to staff on the need to adhere to the security policy and procedures.
8
A/AC.96/1025 of 13 September 2006
-----------------------------------------------------------------------------------------
12
Recommendations:
The UNHCR Division of Information Systems and
Telecommunications should undertake an information systems
risk analysis and consider requesting the UN Secretariat's
Information Technology Services Division to perform an ICT
Security Risk Assessment of its core application systems. The
results of the risk analysis would serve as the basis for
formulating a comprehensive security policy and procedures (Rec.
11).
The UNHCR Division of Information Systems and
Telecommunications should group all documentation related to
computer security in a security manual. Ownership and
circulation of the manuals should be controlled. The security
policy and those aspects of the manual that do not compromise the
control over security should be made available over the intranet.
Reminders to staff on the need to adhere to the security policy and
procedures should be issued at least once a year (Rec. 12).
47. DIST agreed with the recommendations. DIST stated that UNHCR would conduct a risk
analysis/quality assurance exercise. It is still to be determined whether it will be performed with
in-house resources or through UN ITSD. DIST also informed OIOS that the security manual is
under preparation. One of the first deliverables was the implementation of password security
procedures (IOM/FOM/86/2006). OIOS welcomes the work already done by DIST and will record
the recommendations as implemented on confirmation that a risk analysis has been conducted and
the security manual is complete.
(b) Security administration
48. The administration of security over UNHCR's automated systems is currently fragmented
and not sufficiently independent. This function calls for coordination and should be detached
from those of systems development and computer operations. OIOS is pleased to note that in June
2006 the Deputy High Commissioner circulated an Electronic Mail Policy to all staff members.9
In the event of breaches of the standards of acceptable use, the policy refers to the Staff Rules.
OIOS, however, would like to see specific reference to the responsibility for monitoring
compliance with the policy and the steps to be taken in the event of non-compliance.
49. A person who is sufficiently independent of day-to-day IT operations should be designated
as Chief Information Security Officer (CISO). This person would be responsible for the overall
monitoring of compliance with the security policy and procedures. His or her duties would
include keeping all security-related documentation up-to-date, performing periodic or cyclical
reviews of access rights to ensure they conform with the policy, reviewing security reports and
informing the CIO of any security breaches or unauthorized attempts to access data.
50. Given the nature and size of UNHCR's computer environment, the CISO will need to be
supported by focal points within each business unit. Each of these units should designate two staff
members as a Security Liaison Officer (SLO) and an alternate. The SLO will be the first point of
9
ADM-01-01 and IOM/FOM 57/2006 of 28 June 2006
-----------------------------------------------------------------------------------------
13
contact for users for all matters that relate to computer security. Only those matters that cannot be
resolved by the SLO would be escalated to the CISO. The SLOs would also be responsible for
reviewing the security reports concerning their business unit and to take appropriate follow-up
action. DIST proposed involving Inspector General's Office as a coordinator, in line of best
practices to further separate execution from oversight.
Recommendations:
The UNHCR Division of Information Systems and
Telecommunications should assign a person who is independent
of systems development and maintenance as Chief Information
Security Officer (Rec. 13).
The UNHCR Division of Information Systems and
Telecommunications, through the ICT Governance Board and
possibly in cooperation with Inspector General's Office, should
request each business unit to designate a Security Liaison Officer
and an alternate who will be the first point of contact for all
matters related to computer security within the unit. Details of
these persons should be kept up-to-date on the intranet (Rec. 14).
51. DIST agreed with the recommendations. A proposal to appoint an Information Security
Officer will be submitted to ORB in March 2007 as part of the 2008 Headquarters Plan of DIST.
Implementation of the recommendation concerning the Security Liaison Officers is contingent on
the appointment of the Information Security Officer. OIOS takes note of the positive steps taken
and will keep the recommendations open pending confirmation that a Chief Information Security
Officer has been assigned and Security focal points have been designated.
(c) Audit trails and security reports
52. OIOS reviewed a DIST document titled "Application Security Strategy; Management
Systems Renewal Project" dated 16 April 2003. The objective of this document is limited to the
activities involved in the use and application of security software within the MSRP system and does
not cover other areas such as databases, file servers or networks. Even within the MSRP system,
the document does not make reference to security violation reports and audit trails. It does not
specify the persons who will be responsible for seeing that the policies and procedures within the
strategy are applied.
53. In the case of ERP systems in particular, the focus should be on having in-built security
features to prevent any attempt at unauthorized access to systems and data. However it is still
advisable to have a robust system based on audit trails and security reports for detecting such
attempts. If this is absent, there will be a risk that successful unauthorized attempts at data access
will remain undetected.
54. It is unclear whether the current audit trails and security violation reports are adequate. These
reports should not merely serve as events logs, but should provide enough detail to trace the origin of
the violation. To be feasible for control purposes, these reports should be designed to record
exceptions. For example, the report that would show unsuccessful login attempts and needs to be
designed in a way so that only instances of repeated failed access attempts are reported for
investigation.
-----------------------------------------------------------------------------------------
14
55. There is a need for formal procedures covering the generation, review and follow-up action
on audit trails and security reports. At present, audit trails are normally reviewed on an exceptions
basis. Reports relating to security violation are not printed and reviewed as standard practice, and
the analysis of the audit trail information and the security violation information is not taking place.
56. DIST should therefore implement a clear policy covering on-line access to security reports,
the frequency of their generation and their distribution, as well as responsibility for their review and
follow-up action. These tasks would be assigned to the Chief Information Security Officer and the
Security Liaison Officers.
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications working group that has been entrusted with
developing a security policy for UNHCR should, in cooperation
with business units and possibly with the Inspector General's
Office:
(a) Review the existing audit trails and security reports for adequacy
and make recommendations for improvement; and
(b) Implement a policy for the generation and review of security
reports and follow-up action (Rec. 15).
57. DIST agreed with the recommendation. DIST informed OIOS that work on information
security policy has already commenced and completion is anticipated by the end of 2007. OIOS
takes note of the work done and will keep the recommendation open pending the issuance of the
security policy.
(d) Penetration testing
58. An ERP system such as MSRP has inherent security risks due to the large number of users
accessing the system, the large volume of transactions per employee, and the decrease in the paper
trail. There are also risks associated with the sharing of information with third parties such as
suppliers by the linking of systems. Within certain modules (e.g. accounts payable), the system
might allow a user to modify static data temporarily and change it back shortly afterwards with no
audit trail.
59. As a result of the above, ERP systems, while bringing about increased efficiencies through
the streamlining of business processes and the significant reduction or elimination of manual
processes, provide an increased opportunity for fraudsters, especially for insiders. Management
therefore needs to implement effective security mechanisms to address the risk of fraud. It will
not be able however to obtain assurance regarding the effectiveness of these mechanisms unless
they are subject to rigid testing. The best way to evaluate the effectiveness of the system's
security features and identify any weaknesses would be by conducting penetration testing by an
independent party.
-----------------------------------------------------------------------------------------
15
Recommendation:
The UNHCR Division of Information Systems and
Telecommunications should evaluate the effectiveness of all
systems security features and those of the network infrastructure
by conducting penetration tests (Rec. 16).
60. DIST agreed with the recommendation stating that implementation is contingent on the
appointment of an Information Security Officer. If this would not be feasible then DIST shall seek
external resources, e.g. consultants. OIOS takes note of DIST's response and will keep the
recommendation open pending conformation that penetration tests have been conducted.
(e) Disaster recovery and business continuity planning
61. UNHCR does not have a formal plan aimed at ensuring that in the event of a major disaster
affecting its computer facilities, management would be able to mobilise alternate arrangements for
processing data and continue to provide its core services efficiently while the facilities are
properly restored. While effective backup procedures and power supply protection provide a
measure of insurance against system failures, in the event of a major disaster such as a fire, it is
unlikely that the damage will be restricted to the computer equipment but will also affect other
areas. Such a plan would also detail the stages to be followed to ensure that UNHCR's critical
functions are properly recovered and become operational within acceptable timescales.
62. Business continuity planning is wide in scope and requires input from all user units. An
effective business continuity plan will need to be preceded by a risk assessment to define the
mission-critical functions and data, the systems supporting them and the impact that their
unavailability will have on UNHCR. It also requires coordination with external parties such as the
suppliers of hardware, software and communications service and equipment. In the case of
UNHCR, this means close coordination with ICC with which it has an agreement for hosting
services covering MSRP.
63. The conduct of such an exercise is demanding on resources and OIOS suggests that
UNHCR takes advantage of the work that has already been undertaken in this area by other
entities within the UN system, especially those like UNDP and UNICEF who have also
implemented ERP systems. The UN Secretariat's ITSD is working on a plan for Global Business
Continuity while DPKO has consolidated planning for business continuity, utilizing its
Headquarters in New York, the UN Logistics Base in Brindisi and the United Nations Office in
Geneva as disaster recovery sites.
Recommendation:
The UNHCR High Commissioner should set up a task force to
deal with business continuity matters throughout UNHCR. This
task force should:
(a) Hold workshops for senior managers to advise and agree
upon the categorization of mission-critical systems and data;
(b) Seek the advice and collaboration of other UN entities that
have already formulated business continuity plans or are at an
advanced stage in the process; and
(c) Draw up a project plan for the implementation of a business
-----------------------------------------------------------------------------------------
16
continuity plan for UNHCR (Rec. 17).
64. DIST agreed with the recommendation stating that implementation is contingent on the
appointment of the Information Security Officer. If this would not be feasible then DIST shall seek
external resources, e.g. consultants. OIOS appreciates the efforts UNHCR has done in producing
a Contingency Plan for UNHCR Headquarters in case of a pandemic (avian flu) and considers this
a good starting point for a more comprehensive business continuity plan.
F. Management and Procurement of IT Assets
(a) Monitoring end-user developed applications
65. DIST appears to have full visibility of MSRP and other application systems that are used
centrally by multiple divisions, and has control over which systems are allowed to run over the
networks. However from our discussions it emerged that DIST is not aware of all the systems and
databases that are developed by end-users and run on stand-alone PCs. This applies to
units/sections at Headquarters and even more so to field offices.
66. If UNHCR is not aware of existing applications there can be duplication of systems and a
waste of effort. There is also a risk that reports presented to management for decision-making will
contain inaccurate data derived from end-user developed applications such as spreadsheets that
have not been subject to quality assurance.
67. Details of all UNHCR's ICT end-user applications, including reference to licence
agreements, should be recorded in an electronic register. This exercise will require substantial
effort and a designated person within each office should be responsible for updating the register
with details of the ICT applications located in that office. Application systems should be
categorized by their significance or criticality, and there should be an indicator to show the status
of an application, i.e., whether it is in use, being developed or approved but not yet underway.
DIST should have a monitoring role to ensure that the register is being kept up-to-date, and should
perform checks on the completeness and accuracy of the data. A complete and up-to-date register
of ICT applications will provide a basis for control and, in the longer-term, help UNHCR save
money through rationalization.
68. DIST should also provide users with guidelines on best practices to safeguard the
integrity of data in reports that are generated from user-developed spreadsheets, security of back-
up media, and the installation and upgrading of virus-detection software on laptops.
Recommendations:
The UNHCR Division of Information Systems and
Telecommunications should set up an electronic register to record
details of all the ICT applications that belong to UNHCR. Each
office should appoint a focal point with responsibility for updating
the register while DIST should monitor the currency of the
register data and perform checks for its completeness and
accuracy (Rec. 18).
-----------------------------------------------------------------------------------------
17
The UNHCR Division of Information Systems and
Telecommunications should periodically provide users with
guidelines that will highlight the risks related to end user
computing and provide guidance on safeguards and best practices
to mitigate these risks (Rec. 19).
69. DIST agreed with the recommendations. The electronic register will be included in DIST's
Strategic Plan for the coming biennium. For the guidelines DIST elaborated that these would be
included in the information security guidelines. OIOS takes note of DIST's response and will
keep the recommendations open pending the development and implementation of an electronic
register and the dissemination of information security guidelines highlighting the risks associated
with developing ad hoc systems.
V. ACKNOWLEDGEMENT
70. I wish to express my appreciation for the assistance and cooperation extended to the
auditors by the staff of UNHCR.
Eleanor T. Burns, Acting Chief
UNHCR Audit Service
Office of Internal Oversight Services
-----------------------------------------------------------------------------------------